如何在PHP页面之间共享数据?
[英]how can i share data between PHP pages?
问题描述
I have a PHP page and I want to share some data between pages like UserID, password. 
我有一个PHP页面,我想在页面之间共享一些数据,例如UserID,密码。
I'm learning about sessions and I'm not sure if Im using it correctly. 我正在学习会话,不确定我是否正确使用了会话。
<?php
require_once('database.inc');
$kUserID = $_POST['kUserID'];
$kPassword = $_POST['kPassword'];
if (!isset($kUserID) || !isset($kPassword)) {
header( "Location: http://domain/index.html" );
}
elseif (empty($kUserID) || empty($kPassword)) {
header( "Location: http://domain/index.html" );
}
else {
$user = addslashes($_POST['kUserID']);
$pass = md5($_POST['kPassword']);
$db = mysql_connect("$sHostname:$sPort", $sUsername, $sPassword) or die(mysql_error());
mysql_select_db($sDatabase) or die ("Couldn't select the database.");
$sqlQuery = "select * from allowedUsers where UserID='" . $kUserID . "' AND passwordID='" . $kPassword . "'";
$result=mysql_query($sqlQuery, $db);
$rowCheck = mysql_num_rows($result);
if($rowCheck > 0){
while($row = mysql_fetch_array($result)){
session_start();
session_register('kUserID');
header( "Location: link.php" );
}
}
else {
echo 'Incorrect login name or password. Please try again.';
}
}
?>
6 个解决方案
解决方案1
13 已采纳 2010-02-24 01:50:57
For the love of all that is holy, don't use addslashes to prevent SQL injection . 出于对神圣事物的热爱, 请不要使用添加斜杠来防止SQL注入 。
I just owned your site: 我刚刚拥有您的网站:
Image of your ownt site http://localhostr.com/files/8f996b/Screen+shot+2010-02-23+at+7.49.00+PM.png 您自己网站的图片http://localhostr.com/files/8f996b/Screen+shot+2010-02-23+at+7.49.00+PM.png
Edit : Even worse. 编辑 :更糟。
I just noticed that you're attempt at preventing injection via addslashes, isn't even being used! 我只是注意到您正在尝试通过加号防止注入,甚至没有被使用!
<?php
$kUserID = $_POST['kUserID'];
$user = addslashes($_POST['kUserID']); // this isn't used
$sqlQuery = "select * from allowedUsers where UserID='"
. $kUserID . "' AND passwordID='" . $kPassword . "'";
解决方案2
4 2010-02-24 01:40:13
Be aware that session_register() is deprecated in favor of assigning values to the $_SESSION superglobal, eg 请注意,不赞成使用session_register()来为$ _SESSION超全局变量赋值,例如
<?php
$_SESSION['hashedValue']= '437b930db84b8079c2dd804a71936b5f';
?>
Also be aware that anything stored in a session, especially in a shared-server environment, is fair game. 还应注意,会话中存储的任何东西,尤其是在共享服务器环境中,都是公平的游戏。 Never store a password, regardless of whether it's hashed or encrypted. 永远不要存储密码,无论它是散列还是加密的。 I would avoid storing a username as well. 我也避免存储用户名。 If you must use some authentication mechanism between pages using a session variable, I'd recommend using a second lookup table, eg logins , and store the username, login time, etc in that table. 如果必须在使用会话变量的页面之间使用某种身份验证机制,则建议使用第二个查找表,例如logins ,并将用户名,登录时间等存储在该表中。 A hashed value from that table is stored in the session, and each page request checks the time in the table and the hashed value against the database. 该表中的哈希值存储在会话中,每个页面请求都会检查表中的时间以及哈希值是否与数据库相对应。 If the request is either too old or the hash doesn't match, force re-login. 如果请求太旧或哈希值不匹配,请强制重新登录。
All this and more is available to you in the PHP manual section on sessions . 所有这些以及更多内容都可以在会话的PHP手册部分中找到 。
解决方案3
2 2010-02-24 15:50:58
You might also wanna rename "database.inc" to "database.inc.php", or properly setup your host to treat ".inc" as PHP: 您可能还想将“ database.inc”重命名为“ database.inc.php”,或正确设置主机以将“ .inc”视为PHP:
http://www.namemybabyboy.com/database.inc http://www.namemybabyboy.com/database.inc
<?php
$sDatabase = 'shayaanpsp';
$sHostname = 'mysql5.brinkster.com';
$sPort = 3306;
$sUsername = 'shayaanpsp';
$sPassword = 'XXXX';
$sTable = 'allowedUsers';
?>
解决方案4
1 2010-02-24 01:42:56
First, you need to put session_start() at the very beginning of your script. 首先,您需要将session_start()放在脚本的最开始。 It also needs to go at the start of every script that uses session data. 它还需要在每个使用会话数据的脚本的开头执行。 So it would also go at the top of babyRegistration.php. 因此,它也将放在babyRegistration.php的顶部。
Second, I would strongly recommend against using session_register() as it relies on register_globals which is off by default for security reasons. 其次,我强烈建议您不要使用session_register()因为它依赖于register_globals,出于安全原因,该寄存器默认情况下处于关闭状态。 You can read more here: http://php.net/manual/en/security.globals.php . 您可以在此处了解更多信息: http : //php.net/manual/zh/security.globals.php 。 You can add/access session variables by using the $_SESSION superglobal: 您可以使用$_SESSION超全局变量来添加/访问会话变量:
$_SESSION['kUserID'] = $kUserID;
Last, not really session related, just an observation, your isset check at the top is redundant; 最后,与会话没有真正的关系,只是一个观察,顶部的isset检查是多余的; empty will return true for an unset/NULL variable, just as you might expect. 就像您期望的那样,empty将为unset / NULL变量返回true。
解决方案5
0 2010-02-24 01:57:28
At the top of a page 在页面顶部
session_start();
$_SESSION['yourvarname']='some value';
then on some other page to retrieve 然后在其他页面上检索
echo $_SESSION['yourvarname'];
// some value
Oh and about injection,use this on everything going into your db http://us3.php.net/manual/en/function.mysql-real-escape-string.php 哦,关于注入,请在进入数据库的所有内容中使用它http://us3.php.net/manual/zh/function.mysql-real-escape-string.php
解决方案6
0 2019-08-05 17:51:15
Just because almost everything turned into avoiding SQL injections. 仅仅因为几乎所有事情都变成了避免SQL注入。 Escaping string is not going to save you from SQL injections. 转义字符串不会使您免于SQL注入。 The correct way is using prepared statements. 正确的方法是使用准备好的语句。 https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php https://www.php.net/manual/zh/mysqli.quickstart.prepared-statements.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.